Topic: s3.amazonaws.com URL:phishing?

duelmaster98
s3.amazonaws.com URL:phishing?
« on: April 03, 2023, 01:33:06 AM »
I've gotten these alerts several times saying that a connection to s3.amazonaws.com is aborted because it is infected with URL phishing. The times it has happened are when I looked for something on google and I clicked on one of the roll20.net results, but not every time. I tried going to roll20.net directly without using one of the results and the website doesn't trigger this alert.

Is this a real infection or is it a false positive? Have I been infected with some kind of phishing bug?

I've done full scans with Avast, Malwarebytes Premium, and Superantispyware and found nothing except some tracking cookies with Superantispyware.

If this is the wrong place to ask this, I'm sorry. I wasn't sure where to ask this question as I am not sure if it's a FP or not, or if this falls under WebShield, etc... Please move this thread as appropriate or let me know where else to post this.

Thank you.

DavidR
Re: s3.amazonaws.com URL:phishing?
« Reply #1 on: April 03, 2023, 02:02:01 AM »
A screenshot of the actual Avast Alert with the Details option selected would be more helpful.

It is possible that there may be content considered suspect:
https://www.google.co.uk/search?q=amazonaws.com
Quote from: Extract
What is Amazonaws?
Amazon Web Services (AWS) is the world's most comprehensive and broadly adopted cloud, offering over 200 fully featured services from data centers globally.

I don't really know what these services might be and if they would be 3rd party functions/content.

Are you actually trying to connect to the link? I suspect not, which is why the screenshot with details displayed may be more helpful.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

duelmaster98
Re: s3.amazonaws.com URL:phishing?
« Reply #2 on: April 03, 2023, 02:12:31 AM »
Thanks for the reply.

I already closed the alert pop-up. Is there a way to pull it back up? I don't see a way to do so.

No, I am not connecting to amazonaws directly. I think the website I am going to (roll20.net) may host content from it so by going to roll20, it connects to amazonaws too? Not too sure.

DavidR
Re: s3.amazonaws.com URL:phishing?
« Reply #3 on: April 03, 2023, 02:50:24 AM »
No, there is no way to pull it up again other than it being triggered; that's why it is important to capture it when it occurs.
The Web Shield has prevented anything getting to your system from that connection, but not what triggered the connection.

I know that in the heat of the moment, when you are up to your waist in alligators, the last thing on your mind is draining the swamp.

As a precautionary measure, clear your browser cache plus cookies and monitor the situation.

duelmaster98
Re: s3.amazonaws.com URL:phishing?
« Reply #4 on: April 03, 2023, 03:26:43 AM »
Ok, I've cleared my browser cache and cookies. What should I be looking out for now?

Can you explain what you mean when you said that the web shield has blocked anything from entering my system, but not what triggered it? I think I understand the difference but just to be sure. I think I know how to trigger this again, but not sure if I should be doing so.

DavidR
Re: s3.amazonaws.com URL:phishing?
« Reply #5 on: April 03, 2023, 04:03:04 AM »
The object of clearing the browser cache and cookies is a means of checking if one of those was responsible for the connection.

Something on your system tried to connect to a site - it is the Web Shield that scans those internet connections/sites and its listings related to the site. If it finds an issue it 1. blocks the connection to the site and 2. alerts.

Triggering it again shouldn't be an issue, given what I have said about the Web Shield function - you can of course describe what you think may be triggering it.

duelmaster98
Re: s3.amazonaws.com URL:phishing?
« Reply #6 on: April 03, 2023, 04:47:17 AM »
I think the trigger is when I try to go on roll20.net via a google search link. Sometimes I want to look up specific pieces of information on roll20.net and it's faster for me to enter the keywords into google and have the search engine pull up the specific page on roll20.net instead of navigating the website myself. I do it this way because the website has a rather clunky UI and it's a pain to navigate unfortunately.

I attached a screenshot of an example search. It's the first link in the image.

These alerts seem to have started a few days ago for me. I had one on March 31st. Before that, I would do what I described above all the time. Look up something on google that I know is on roll20.net, click on the link to get to that specific page directly.

I use roll20.net quite frequently and when I type the url into my browser directly or navigate to it via my bookmarks, it doesn't trigger anything. I don't know if it's those encyclopedia pages on roll20.net specifically, because they do have images on them that they may or may not be hosting.

polonus
Re: s3.amazonaws.com URL:phishing?
« Reply #7 on: April 03, 2023, 06:13:02 AM »
Insecurity:
Quote
Security Headers
Missing security header for ClickJacking Protection. Alternatively, you can use Content-Security-Policy: frame-ancestors 'none'. Affected pages:
-https://roll20.net/compendium/

Missing security header to prevent Content Type sniffing. Affected pages:
-https://help.roll20.net/hc/en-us

Missing Strict-Transport-Security security header.

Missing Content-Security-Policy directive. We recommend to add the following CSP directives (you can use default-src if all values are the same): script-src, object-src, base-uri, frame-src

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
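
Added example (editorial, not part of the thread and not the quoted scanner's code): a small checker for the four findings in the report above, run against header sets constructed here for illustration. The function names and sample headers are assumptions; note that `base-uri` does not inherit from `default-src`, so it is reported separately.

```python
# Added example: names and sample headers are constructed, not taken from roll20.net.
CSP_RECOMMENDED = ("script-src", "object-src", "base-uri", "frame-src")

def parse_csp(value):
    """Return {directive: [sources]} for a Content-Security-Policy value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers keep the first occurrence of a repeated directive.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def hsts_enabled(value):
    """True only if Strict-Transport-Security carries a max-age above zero."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return val.isdigit() and int(val) > 0
    return False

def audit_headers(headers):
    """Return the list of findings for one response's headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    findings = []
    framing_ok = h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
    if not framing_ok and "frame-ancestors" not in csp:
        findings.append("clickjacking")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("content-type-sniffing")
    if not hsts_enabled(h.get("strict-transport-security", "")):
        findings.append("hsts")
    for directive in CSP_RECOMMENDED:
        # default-src is a fallback for fetch directives only; base-uri
        # never falls back to it and must be set explicitly.
        covered = directive in csp or (
            directive != "base-uri" and "default-src" in csp)
        if not covered:
            findings.append("csp:" + directive)
    return findings

WEAK = {"Content-Type": "text/html"}
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; base-uri 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    print("weak:", audit_headers(WEAK))
    print("hardened:", audit_headers(HARDENED))
```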

duelmaster98
Re: s3.amazonaws.com URL:phishing?
« Reply #8 on: April 03, 2023, 06:32:19 AM »
Hi Polonus,

Please explain.

polonus
Re: s3.amazonaws.com URL:phishing?
« Reply #9 on: April 03, 2023, 07:34:22 AM »
Particular safety measures not implemented by those that maintain the site, making it vulnerable.
Also get 301 errors.

polonus

duelmaster98
Re: s3.amazonaws.com URL:phishing?
« Reply #10 on: April 03, 2023, 07:08:42 PM »
Is there a way to determine if I might be infected with something that bypassed all the scans?

DavidR
Re: s3.amazonaws.com URL:phishing?
« Reply #11 on: April 03, 2023, 10:42:21 PM »
Quote from: duelmaster98
Is there a way to determine if I might be infected with something that bypassed all the scans?

No easy way and not one that can be performed via the avast forums.

Avast has multiple components, the first in this case was the Web Shield, for which you have determined what caused the alert. Plus polonus gave a reason you are likely to have gotten the alert on that URL.

Any active file on the system gets scanned by the File System shield when it gets initiated. There is also the Behaviour Shield that would be on the lookout for unusual/suspect behaviour. So whatever it is has to get through several checks, so it is less likely there is something on your system reaching out, given your explanation of what you believe to have initiated the connection and alert.

Some other issues on roll20.net:
https://en.internet.nl/site/roll20.net/2017565/ - security issues that could be an issue
https://awesometechstack.com/analysis/website/roll20.net/ - Improvement suggestions - outdated software that could be exploited.

That site really needs some work to improve security for their users. This may or may not also lead to the site not being blocked by Avast.